CVE-2020-26542

9.8 CRITICAL

📋 TL;DR

This vulnerability allows authentication bypass in MongoDB Simple LDAP plugin for Percona Server when using SimpleLDAP authentication with Microsoft Active Directory. Attackers can authenticate with blank passwords, gaining access at the level of the authenticating account. Affects systems using Percona Server with Simple LDAP plugin and Active Directory integration.

💻 Affected Systems

Products:
  • Percona Server with MongoDB Simple LDAP plugin
Versions: Through 2020-10-02
Operating Systems: All platforms running affected Percona Server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using SimpleLDAP authentication with Microsoft Active Directory; standard authentication methods are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full Active Directory domain compromise if high-privilege service accounts are vulnerable, leading to data exfiltration, lateral movement, and complete system takeover.

🟠 Likely Case

Unauthorized database access leading to data theft, modification, or deletion, potentially escalating to broader network access.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, though authentication bypass still occurs.

🌐 Internet-Facing: HIGH if vulnerable service is exposed to internet, as authentication bypass allows direct unauthorized access.
🏢 Internal Only: HIGH as internal attackers or compromised systems can exploit this to bypass authentication controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and minimal technical skill: simply sending a blank password triggers the bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Percona Distribution for MySQL PXC variant 8.0.20 and later updates

Vendor Advisory: https://www.percona.com/blog/2020/10/13/percona-distribution-for-mysql-pxc-variant-8-0-20-fixes-for-security-vulnerability-release-roundup-october-13-2020/

Restart Required: Yes

Instructions:

1. Update to Percona Distribution for MySQL PXC variant 8.0.20 or later.
2. Apply patches from Percona advisory.
3. Restart Percona Server services.
4. Verify authentication now rejects blank passwords.

🔧 Temporary Workarounds

Disable SimpleLDAP Authentication (all platforms)

Temporarily disable SimpleLDAP authentication until patching is complete:
  • Modify Percona Server configuration to use alternative authentication methods
  • Comment out or remove SimpleLDAP configuration lines

Implement Network Controls (all platforms)

Restrict access to Percona Server to only trusted networks and systems:
  • Configure firewall rules to limit Percona Server port access
  • Implement network segmentation

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Enable detailed authentication logging and monitor for blank password attempts

🔍 How to Verify

Check if Vulnerable:

Test authentication with blank password against SimpleLDAP configuration; if successful, system is vulnerable.

Check Version:

mysql --version or check Percona Server version in configuration/management interface

Verify Fix Applied:

Attempt authentication with blank password; should be rejected after patch.

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts with blank/empty passwords in Percona Server logs
  • Successful logins from unexpected sources

Network Indicators:

  • Authentication traffic to Percona Server with minimal payload size
  • Unusual database access patterns

SIEM Query:

source="percona_logs" AND (password="" OR auth_failure="blank_password")
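The two log indicators above (blank-password attempts and successful logins from unexpected sources) can be checked offline against exported audit events. The script below is an added example, not part of this advisory or any Percona tooling: it runs over a handful of constructed JSON audit records whose field names (`atype`, `param.mechanism`, `param.db`, `remote.ip`, `result`, `auth_failure`) are loosely modelled on MongoDB-style audit output and are assumptions for this example, not a documented Percona log format. It flags successful LDAP-backed (`PLAIN` mechanism against `$external`) authentications from sources outside a trusted-network allow-list, and any event that a SIEM has tagged with the `blank_password` marker used in the query above.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample audit events (hypothetical format, assumed for this example).
# Result 0 = success; a non-zero result is a failed authentication.
SAMPLE_AUDIT_LINES = [
    '{"atype":"authenticate","ts":"2020-10-05T10:01:12Z","remote":{"ip":"10.0.0.15"},'
    '"param":{"user":"svc_backup","db":"$external","mechanism":"PLAIN"},"result":0}',
    '{"atype":"authenticate","ts":"2020-10-05T10:01:40Z","remote":{"ip":"203.0.113.7"},'
    '"param":{"user":"svc_backup","db":"$external","mechanism":"PLAIN"},"result":0}',
    '{"atype":"authenticate","ts":"2020-10-05T10:02:03Z","remote":{"ip":"10.0.0.22"},'
    '"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}',
    '{"atype":"authenticate","ts":"2020-10-05T10:02:30Z","remote":{"ip":"10.0.0.99"},'
    '"param":{"user":"dba","db":"$external","mechanism":"PLAIN"},"result":18,'
    '"auth_failure":"blank_password"}',
    'this line is not JSON and must be skipped',
]

# Networks from which LDAP-backed logins are expected (assumed for this example).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]


def is_trusted(ip_text):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ip_address(ip_text)
    except ValueError:
        return False  # malformed or missing address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_ldap_auth(param):
    """SimpleLDAP logins appear as PLAIN mechanism against the $external db."""
    return param.get("db") == "$external" and param.get("mechanism") == "PLAIN"


def analyse(lines):
    """Return a list of (indicator, user, source_ip, timestamp) findings."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore non-JSON noise in the export
        if ev.get("atype") != "authenticate":
            continue
        param = ev.get("param", {})
        user = param.get("user", "?")
        src = ev.get("remote", {}).get("ip", "")
        ts = ev.get("ts", "?")

        # Indicator 2: successful LDAP-backed login from an unexpected source.
        if is_ldap_auth(param) and ev.get("result") == 0 and not is_trusted(src):
            findings.append(("ldap_success_untrusted_source", user, src, ts))

        # Indicator 1: SIEM-enriched marker for an empty-password attempt.
        if ev.get("auth_failure") == "blank_password":
            findings.append(("blank_password_attempt", user, src, ts))
    return findings


if __name__ == "__main__":
    for indicator, user, src, ts in analyse(SAMPLE_AUDIT_LINES):
        print(f"{ts} {indicator}: user={user} source={src}")
```

The `blank_password` branch only fires if an upstream component has already classified the attempt; the server itself does not log the password, so on an unpatched system a blank-password login looks like any other successful `PLAIN` authentication, which is why the source-based indicator matters more while the patch is pending.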
